07-13-2009 06:47 AM - edited 02-21-2020 03:34 AM
We have two ASA 5510 firewalls with a tunnel between two sites. The tunnel works without issue until one of the sites experiences a brief outage due to the service provider. The VPN tunnel does not automatically re-establish after the outage. It takes a restart of one of the ASAs before it will come back online. How do I get the devices to automatically try to restore the tunnel?
Chris
07-13-2009 07:32 AM
Chris-
If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.
Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222:
securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope that helps.
07-14-2009 10:53 AM
Thanks for your reply, Collin. As it stands, the "isakmp keepalive" command is enabled by default on ASA appliances with 7.2 code. The keepalive command has not been removed from the configuration. Both devices are ASA 5510s with 7.2 software running on them.